The invention relates to a method, a computer program product and a server for controlling a user access via a computer network to at least one electronic resource stored within a protected data environment of a computer environment.
Electronic resources like software applications, databases, documents or electronic pictures stored within a software application container being accessible via a computer network are generally protected and user access requires some sort of authentication. However, such electronic resources stored within a protected and/or public data environment frequently contain information that should be available publicly, which means that access to these data should not require authentication.
In the state of the art, different techniques are well-known for providing user access to public and protected electronic resources, whereby protected resources can only be accessed by authorized users using a controlled access system. Authorization is commonly based on identification and authentication, wherein identification is a process that enables recognition of an entity by a system, and authentication is a process that verifies the identity of a user, device or other entity in a computer system, usually as a prerequisite to allow access to a resource in a computer system. In general, a realm is defined on a web or application server. Such a realm contains a collection of users, which may or may not be assigned to a group, that are controlled by the same authentication policy. A software or web application will often prompt a user to name a password for allowing access to protected resources. When the user has entered the user name and the password, the information is transmitted to the server, which either authenticates the user and sends the protected resource or fails to authenticate the user, in which case access to a protected resource is denied. Thereby, different access control strategies are well-known, which can be divided into discretionary access control (DAC), mandatory access control (MAC), multi-level/multi-lateral security methods and role-based access control (RBAC).
The DAC represents one of the most common access control strategies. This function is often referred to as identity-based access control (IBAC). An access to an electronic resource is based on the identity of the user (human user, process, system), whereby access control rights are defined individually from the user himself/herself and for each user individually. In contrast thereto, MAC grants access to electronic resources according to rules and properties of the user and the electronic resource. Therefore, the user is not capable of directly accessing an electronic resource and is required to use a reference monitor. This access control strategy is also referred to as rule-set-based access control. A multi-level security system is highly similar to a mandatory access control system and comprises several cascaded protection levels, which distinguish between a top-down and a bottom-up information flow. A multi-lateral security access model represents an enhanced access control strategy, which does not only consider top-down and bottom-up information flow, but also considers all sides of information access.
In computer system security, a role-based access control (RBAC) represents an approach to restrict system access to authorized users, which constitutes a more recent alternative approach to MAC and discretionary access control (DAC). Roles are created for various job functions defining electronic resource access properties, thus certain operations are assigned to specific roles. Groups of users are assigned to particular roles and those role assignments require the permission to perform particular system functions. Since users are not assigned permissions directly, but only acquire them by means of their role, management of individual user rights can be performed centrally, whereby references from one electronic resource to another one are handled by a role mechanism.
According to the example shown in FIG. 2, three roles “R1”, “R2” and “R3” are depicted, whereby each role allows access to certain documents of a web application. A user being assigned to role “R1” has access to documents D, H, G and I. A user assigned to role “R2” has access to documents A and C and an “R3” user has access to documents B, E and F. All of said three roles “R1”, “R2” and “R3” are capable of accessing shared resources 24, which can be public electronic documents, such as help menus, setting menus, public scripts and other software services. Consequently, all of the documents share certain resources 24 (images, scripts, HTML markup), whereby references 22 (links from one document to another one) will be handled by the role mechanism as usual.
Furthermore, a resource protection as specified in Sun's Servlet Specification 2.4/2.5, incorporated herein by reference, comprises the definition of security constraints as a declarative way to protect web content. Such security constraints allow for the definition of certain address ranges for accessing electronic resources, extension patterns of type of resource data and access methods for defining access actions applied to the addressed electronic resource. FIG. 3 exemplarily illustrates the definition of a security constraint of a web resource for addressing the URL pattern “/*”, “/acme/wholesale/*” and “/acme/retail/*”. Within these address ranges, documents can be accessed for displaying images, html web pages and executing Java-scripts. Thereby distinct access actions “get” and “post” as http-methods can be applied on these electronic resources. This security constraint is defined under a role, which is referred to as role “R1”. The drawback of such a fixed security constraint definition resides in the aspect that URL patterns and extension patterns cannot be combined and security constraints cannot be changed dynamically.
The drawback of such role-based access control resides in the aspect that all users have to be authenticated. An ad-hoc resource access authorization for non-authenticated users is not possible with the role-based approach, since links and extensions as defined for instance in Sun's Servlet Specification 2.4/2.5 do not allow a change of navigation structure and resource location of the web application during run-time. Therefore, a modified resource access authorization requires a restart of the web application in order to adapt the role mechanism to modified access roles.
A well known mechanism for providing indirect access to a protected electronic resource is the use of One-Time Uniform Resource Identifiers, preferably One-Time Uniform Resource Locators (OTU), which are only valid for a certain period of time or for a single access request to an associated electronic resource within a computer environment. One-Time URLs are generated using single secure hash algorithms or algorithms incorporating session and user information or other methods that provide an unique temporary identifier for an electronic resource. Usually, One-Time URLs (OTU) are used in online stores, portal applications, web-based information systems and search engines to provide access to temporarily valid electronic resources like web resources, personal information and data as well as to e-mail addresses, web links, electronic documents, such as PDF-documents, JPG-pictures etc. Furthermore, OTUs are used to mask real URLs of a web application to prevent unauthorized linking of content.
In conclusion, the above-mentioned state of the art fails to offer an access to electronic resources stored within a protected environment to the public by leaving it in the protected area, i.e. neither moving it into the public area nor duplicating the information in the public area. Additionally, all resources (protected or unprotected) referenced shall also be publicly accessible without explicit authentication and only within the scope of the request. Thereby, a temporary resource authorization may not comprise the declared security constraints of the web application container and therefore has to limit the access of the non-authenticated user to the publicly-made resource by disabling links and resource references leading from the electronic resource to protected or non-authorized parts of the data application container.
Considering FIG. 1, it is highly desirable that a non-authorized user 52 should be allowed to access a document D residing in a protected area 14 of a web application container of a web application server, without the need to relocate or copy the accessed electronic resource D to a non-protected area of the web application container. Additionally, all of the shared resources 24 associated with electronic resource D being needed to render the electronic resource correctly should also be automatically accessible within the scope of the user access request 16. Furthermore, it should be possible to selectively authorize access to another electronic resource H, G or I referenced from electronic resource D.